I've set up a source type and am currently ingesting our MySQL slow query logs.
To get Splunk to recognize new entries properly I've added the following to my props.conf found at http://answers.splunk.com/answers/13109/mysql-slow-query-log-parsing.html
[mysqlslow]
# Use LINE_BREAKER to segment events. An event may start with either "Time:" or "User@Host:".
# Look for a semicolon (termination of previous event) followed by one of those items.
# However, the very first entry won't have a ";" before it. Instead it is preceded by "Argument".
LINE_BREAKER = (?:;|Argument)(\n)(?:\# Time: |\# User@Host: )
SHOULD_LINEMERGE = false
TRUNCATE = 0
Now I need to have a field extraction for the query itself. The above mentioned page recommends
EXTRACT-mysqlslow-query-line = \n(?<query>[^#].*)$
So that's not working at all for me. Splunk seems to be ignoring it completely.
Below is an example of what the log looks like. I need to abstract everything after the SET timestamp=1410815181;
Any help would be greatly appreciated.
# User@Host: db_probe[db_probe] @ [x.x.x.x]
# Query_time: 2.055869 Lock_time: 0.000081 Rows_sent: 6 Rows_examined: 2933112
SET timestamp=1410815181;
SELECT run_code, oid_job_log, log_path_file
FROM rcodb.job_log job
WHERE
server = 'xxxxx'
AND update_timestamp > now() - INTERVAL 30 MINUTE
ORDER BY run_code;
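The two regexes discussed above, run against a constructed copy of the sample event with Python's re module. This is an added example, not code from the original post or from Splunk; Python uses (?P<name>...) where Splunk's PCRE uses (?<name>...), and the replacement QUERY_PATTERN is an assumption, not a documented Splunk extraction.

```python
import re
from typing import Optional

# Constructed sample event, copied in shape from the slow-query entry in the
# post (host and server values are the same placeholders the post uses).
SAMPLE_EVENT = """# User@Host: db_probe[db_probe] @ [x.x.x.x]
# Query_time: 2.055869 Lock_time: 0.000081 Rows_sent: 6 Rows_examined: 2933112
SET timestamp=1410815181;
SELECT run_code, oid_job_log, log_path_file
FROM rcodb.job_log job
WHERE
server = 'xxxxx'
AND update_timestamp > now() - INTERVAL 30 MINUTE
ORDER BY run_code;"""

# The regex from the post, rewritten in Python's (?P<name>...) group syntax.
# Without the DOTALL flag "." stops at a newline and "$" only matches at the
# end of the event, so the only "\n<non-#>...$" span that satisfies it is the
# final line of the statement, not the whole query.
ORIGINAL_PATTERN = re.compile(r"\n(?P<query>[^#].*)$")

# Candidate replacement (an assumption, not a Splunk-documented extraction):
# anchor on the "SET timestamp=<digits>;" line and capture everything after
# it. The inline (?s) flag makes "." match newlines, so multi-line statements
# are captured whole.
QUERY_PATTERN = re.compile(r"(?s)SET timestamp=\d+;\n(?P<query>.+)$")


def extract_query(event: str, pattern: re.Pattern = QUERY_PATTERN) -> Optional[str]:
    """Return the 'query' capture group for the first match in event, or None
    when the event has no statement after the SET timestamp line."""
    match = pattern.search(event)
    return match.group("query").strip() if match else None


def extract_timestamp(event: str) -> Optional[int]:
    """Return the epoch value from the 'SET timestamp=...;' line, or None."""
    match = re.search(r"^SET timestamp=(?P<ts>\d+);$", event, re.MULTILINE)
    return int(match.group("ts")) if match else None


if __name__ == "__main__":
    print("original pattern captures:", repr(extract_query(SAMPLE_EVENT, ORIGINAL_PATTERN)))
    print("timestamp:", extract_timestamp(SAMPLE_EVENT))
    print("query:\n" + (extract_query(SAMPLE_EVENT) or "<none>"))
```

In a props.conf EXTRACT the replacement would be written with PCRE group syntax, e.g. `(?s)SET timestamp=\d+;\n(?<query>.+)$`; verify it against a real event first, since Splunk's engine is PCRE rather than Python's re.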